Hackers stole Flipboard users’ email addresses and hashed passwords

Flipboard has published a notice on its website about a “security incident” (a term companies prefer to use rather than simply saying they’ve been hacked).

The news aggregation site used by millions of people worldwide says that it recently discovered hackers had access to databases containing Flipboard users’ account details – including usernames, email addresses, hashed passwords, and account tokens for third-party social media accounts.

According to Flipboard, there were two periods of time during which hackers had access to the sensitive information – the almost ten months between June 2, 2018 and March 23, 2019 and April 21 – 22, 2019.

Sign up to our newsletter
Security news, advice, and tips.

Users have received an email from Flipboard, telling them that their passwords have been reset. The next time users login they will asked to create a new password.

Obviously it makes sense for users to also ensure that they are not using the compromised password anywhere else on the internet. As we discuss time and time again on this site, you should never reuse the same password in different places. If your puny human brain isn’t capable of remembering lots of unique, complex passwords then you’re in the same boat as me – use a good password manager instead.

Considering that email addresses may also now be in the hands of the hackers, users would be wise to look out for phishing emails which may purport to come from Flipboard.

From the sound of things, Flipboard switched from using the SHA-1 hashing algorithm for password storage to bcrypt, which is held in higher regard, in 2012:

If users created or changed their password after March 14, 2012, it is hashed with a function called bcrypt. If users have not changed their password since then, it is uniquely salted and hashed with SHA-1.

Frankly it might have been a good idea for Flipboard to have forced users to reset their passwords back in 2012 when they introduced the stronger hashing algorithm, rather than allowed older weaker-protected passwords to persist for so many years.

Flipboard says it has notified law enforcement about the security breach.

Found this article interesting? Follow Graham Cluley on Twitter or Mastodon to read more of the exclusive content we post.

Graham Cluley •   @gcluley

Graham Cluley is a veteran of the anti-virus industry having worked for a number of security companies since the early 1990s when he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows. Now an independent security analyst, he regularly makes media appearances and is an international public speaker on the topic of computer security, hackers, and online privacy. Follow him on Twitter at @gcluley, on Mastodon at @[email protected], or drop him an email.